[squid-users] renegotiation

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 2 13:30:48 UTC 2017

On 3/02/2017 2:09 a.m., Vieri wrote:
> Hi,
> I'm running Squid 4 beta.
> # squid -v
> Squid Cache: Version 4.0.17-20170122-r14968
> I tested the following where Squid is listening on port 443 in accel mode.
> # echo "R" | openssl s_client -connect 2>&1 3>&1 | grep RENEGOTIATING
> How can I disable client renegotiation?

For what reason is complete disable needed?

Renegotiating to an insecure version or cipher set is an issue to be
fixed by configuring tls-min-version=1.Y and tls-options= disabling
unwanted ciphers etc.

The potential DoS related to renegotiation is now prevented by rate

The current generation of OpenSSL libraries (1.0+) all contain built-in
protection from older forms of renegotiate that had other CVE issues.


More information about the squid-users mailing list